Lower Bounds on Signatures From Symmetric Primitives

We show that every black-box construction of one-time signature schemes from a random oracle achieves security at most poly(q)·2^q, where q is the total number of queries to the oracle by the key generation, signing, and verification algorithms. That is, any such scheme can be broken with probability close to 1 by a (computationally unbounded) adversary making poly(q)·2^q queries to the oracle. This is tight up to a constant factor in the number of queries, since a simple modification of Lamport's scheme achieves 2^((0.812-o(1))q) security using q queries. Our results extend (with a loss of a constant factor in the number of queries) also to the random permutation and ideal-cipher oracles, and so can be taken as evidence of an inherent efficiency gap between signature schemes and symmetric primitives such as block ciphers, hash functions, and message authentication codes.
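To make the cost measure q concrete, here is an added example (not code from the paper or its authors) that implements plain Lamport one-time signatures over a simulated random oracle and counts every oracle query made by key generation, signing and verification. The oracle is a lazily sampled random function with a query counter (a constructed stand-in, with a 16-byte output length chosen for the example); the scheme is the basic Lamport construction, not the modified variant the abstract credits with 2^((0.812-o(1))q) security. For n-bit messages it spends 2n queries in key generation, none in signing and n in verification, so q = 3n is the number the abstract's poly(q)·2^q bound refers to.

```python
import secrets
from typing import Dict, List, Tuple

OUT_BYTES = 16  # oracle output length in bytes (constructed parameter for this example)

Key = List[Tuple[bytes, bytes]]


class RandomOracle:
    """Lazily sampled random function standing in for the abstract's random oracle.

    Every call to query() is counted; the total is exactly the cost measure q:
    queries made by key generation, signing and verification together.
    """

    def __init__(self) -> None:
        self._table: Dict[bytes, bytes] = {}
        self.queries = 0

    def query(self, x: bytes) -> bytes:
        self.queries += 1
        if x not in self._table:
            self._table[x] = secrets.token_bytes(OUT_BYTES)
        return self._table[x]


def bits(msg: int, n: int) -> List[int]:
    """Little-endian bit decomposition of an n-bit message."""
    if not 0 <= msg < (1 << n):
        raise ValueError("message does not fit in n bits")
    return [(msg >> i) & 1 for i in range(n)]


def keygen(ro: RandomOracle, n: int) -> Tuple[Key, Key]:
    """Lamport key generation: 2n random secrets, public key = their oracle images (2n queries)."""
    sk = [(secrets.token_bytes(OUT_BYTES), secrets.token_bytes(OUT_BYTES)) for _ in range(n)]
    pk = [(ro.query(s0), ro.query(s1)) for s0, s1 in sk]
    return sk, pk


def sign(sk: Key, msg: int, n: int) -> List[bytes]:
    """Signing reveals one secret per message bit and makes no oracle queries."""
    return [sk[i][b] for i, b in enumerate(bits(msg, n))]


def verify(ro: RandomOracle, pk: Key, msg: int, sig: List[bytes], n: int) -> bool:
    """Verification re-hashes each revealed secret: exactly n oracle queries."""
    if len(sig) != n:
        return False
    checks = [ro.query(sig[i]) == pk[i][b] for i, b in enumerate(bits(msg, n))]
    return all(checks)


def query_budget(n: int, msg: int = 0) -> Dict[str, int]:
    """Return the per-algorithm and total oracle query counts for one sign/verify run."""
    ro = RandomOracle()
    sk, pk = keygen(ro, n)
    gen = ro.queries
    sig = sign(sk, msg, n)
    sgn = ro.queries - gen
    verify(ro, pk, msg, sig, n)
    ver = ro.queries - gen - sgn
    return {"gen": gen, "sign": sgn, "verify": ver, "total": ro.queries}


def demo(n: int = 8, msg: int = 0xB2) -> Tuple[bool, bool]:
    """Accept a genuine signature; reject the same signature against a message with one flipped bit."""
    ro = RandomOracle()
    sk, pk = keygen(ro, n)
    sig = sign(sk, msg, n)
    genuine = verify(ro, pk, msg, sig, n)
    tampered = verify(ro, pk, msg ^ 1, sig, n)
    return genuine, tampered


if __name__ == "__main__":
    print(query_budget(8, 0xB2))  # gen=16, sign=0, verify=8, total=24 for n=8
    print(demo())
```

The counter makes the abstract's accounting visible: doubling the message length doubles q, and the only way to lower q for a fixed n is to change the construction, which is what the modified Lamport scheme mentioned in the abstract does.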